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SUSAN Y. SOONQ 
aERK.U.S. DISTRICT COURT 
NOftW DISTRICT OF CAUFOfi':;; 
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Dtfetuiant(5) 


CRIMINAL COMPLAINT 



1, the complainant in tiiis case, state tiiat tiie following is true to the best of my mowledge and belief. 

Oaoraboatthedate(s)of Februa ry 26,2019 to July 11,2019 inthecountyof SanFrancisco 

. 

Northern 


in tile 


District of 


California 


Code Section 

18 U.S.C. §§ 1030(a)(5)(A). (c)(4) 
(B)0).and(c)(4)(A)(l)(l) 


, the defendant(s) violated: 

Offense Description 


Intentional Damage to a Protected Computer 

Maximum 10 years term of Imprisonment; maximum tine of $250,000; 
maximum term of supervised release of 3 year^; mandatory $100 sp^al 
assessment 





^ A f) ^ 

f Ji^ge's sign^m 


City and state: 


San Francisco, California 


Hon. Elizabeth D. Imports, U.S. Magistrate Judg* 


Printed name and tide 


AFFIDAVIT OF FBI SPECIAL AGENT ROBBIE J. R6BERTSON 
IN SUPPORT OF A CRIMINAL COMPLAIljJT 

I, Robbie J. Robertson, Special Agent of the Federal Bureau of Investigation (“FBI”), 
being duly sworn, hereby declare as follows: 

AGENT BACKGROUND AND BASES FOR STATEMENTS 

1. I am a Special Agent with the FBI assigned to investigate cyber-crime, and have 
been so employed since September 2017. My training included attending FBI new agent basic 
training during which I received instruction on various aspects of federal investigations. Since 
May 2019,1 have been assigned to investigate high technology and cyber-crime and have been 
involved in investigations of alleged computer-related and intellectual property offenses, 
including computer intrusions, trafficking in coxmterfeit goods, wire fraud, internet extortion, and 
other criminal matters. As an FBI agent, I am authorized to investigate violations of United 
States law and am a law enforcement officer with the authority to execute warrants issued under 
the authority of the United States. Prior to my current position as a Special Agent with the FBI, I 
obtained a Bachelor of Science degree in Information Technology. Duiing my career as a 
Special Agent of the FBI, I have received training and possess actual e>:perience relating to 
federal criminal procedures and federal statutes. I have also received specialized training and 
instruction in the field of investigation in computer-related crimes. I h^ve had the opportunity to 
conduct, coordinate, and participate in numerous investigations relating to computer-related 
crimes. I have participated in the execution of numerous search warrants and arrest warrants 
conducted by the FBI. 

2. The statements contained in this affidavit are based, in part, on my training, years 
of investigative experience, and my personal participation in this investigation. The statements 
contained in this affidavit are sometimes based on information provided by other FBI Special 




Agents, other government agencies, as well as information derived fronj interviews of victim 
companies. 

3. Because this affidavit is submitted for the limited purpose of securing an arrest 
warrant, I have not included each and every fact known to me that supports probable cause. This 
affidavit does not purport to set forth all of my knowledge of, or investigation into, this matter. I 
have summarized information, including information received from law enforcement agents and 
officers, documents, and records. I have set forth those facts that I believe are sufficient to 
support the issuance of the requested arrest warrant. 1 am not relying upon facts not set forth 
herein to support my conclusion. 

4. lam one of the agents participating in the investigation |f Shariq Hashme 
(“HASHME”) for offenses relating to the unauthorized access and damage to computers 
belonging to Company A, a San Francisco, California-based data analysis company. 

5. As part of that ongoing FBI investigation, I make this afiiidavit in support of an 
application by the United States of America for a complaint and arrest warrant for HASHME. 

6. As set forth herein, there is probable cause to believe thy HASHME knowingly 
caused the transmission of a program, information, code, and command, and as a result of such 
conduct, intentionally caused damage without authorization, to a protected computer, and 
thereby caused loss to one or more persons during a one-year period affecting protected 
computers aggregating at least $5,000 in value, in violation of Title 18, United States Code, 
Sections 1030(a)(5)(A) and 1030(c)(4)(B)(i). 

APPLICABLE STATUTES 

7. Under Title 18, United States Code, Section 1030(a)(5)( A), it is unlawful for an 
individual to “knowingly cause[] the transmission of a program, information, code, or command. 
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and as a result of such conduct, intentionally causes damage without authorization, to a protected 
computer.” A protected computer is a computer that is used in or affectijng interstate or foreign 
commerce. See 18 U.S.C. § 1030(e)(2)(B). The term “damage” means impairment to the 
integrity or availability of data, a program, a system, or information. See 18 U.S.C. § 1030(e)(8). 

8. Under Title 18, United States Code Sections 1030(c)(4)(B)(i) and (c)(4)(A)(i)(I), 
the penalty for a violation of 18 U.S.C. § 1030(a)(5)(A) is a fine and imprisonment of not more 
than ten years if the offense caused (i) loss to 1 or more persons during ^y 1-year period 
aggregating at least $5,000 in value; (ii) the modification or impairment| or potential 
modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or 
more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; (v) 
damage affecting a computer used by or for an entity of the United Statjs Government in 
furtherance of the administration of justice, national defense, or nationaj security; or (vi) damage 
affecting 10 or more protected computers during any l-year period. 

FACTS SUPPORTING PROBABLE CAUSE 

Summary 

9. Beginning at least as early as on or about February 26,2|)19, continuing through 
and including on or about July 11,2019, Shariq HASHME repeatedly cjonnected to and caused 
transmissions to Company A’s internal payment database to surreptitiously alter its data and 
contents without authorization in order to divert at least approximately $40,000 in payments to 
accoimts controlled by HASHME. 

10. HASHME, who was employed as an engineer at Company A, is an individual that 
resided in 2019 in San Francisco, California before on or about April 1^, 2019, and outside the 
United States after on or about that date. HASHME worked for Company A as an employee 
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then later as a non-employee contractor during this time. 

Background of Investigation 

11. Company A is a San Francisco, California-based data analysis company. 

12. PayPal is a web-based financial services provider based in Mountain View, 
California. 

13. On May 8,2019, representatives of Company A contacted the San Francisco 
Division of the FBI to report a criminal cyber incident. According to re|)resentatives of the 
company, they discovered their internal payment database, contained initheir back-end computer 
network infrastructure, had been compromised in late April 2019. 



15. Company A reported that during this cyber incident, an jndividual connected to its 

internal payment database and altered payments that were originally directed to legitimate 
employees to divert them to a PayPal account linked to “Bruno.Day.1958@outlook.com” 
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(“Subject PayPal account”). 

Based on an internal investigation conducted by Company A, the majority 
of the altered payments made to the Subject PayPal account were in the amount of $140.00 
beginning on or about March 12,2019 and ending on or about May 6,2019. Over the course of 
this cyber incident. Company A advised that a total of approximately 100 payments were altered 
in the internal payment database and diverted to the Subject PayPal account, resulting in losses 
of at least approximately $ 14,000. 

16. Company A provided the FBI with a suspicious IP address of 182.232.191.125, 
which connected to its internal payment database around the time of one of the intrusion 
incidents on April 30,2019 at 13:39:53 UTC. IP addresses oftentimes {ire associated with a 
particular geographic area or region based on them falling within cerkiin known IP address 
ranges. The aforementioned suspicious IP address was confirmed to be. associated with the 
particular geographic area of (“geo-located”) of Thailand using open source research conducted 
by the FBI. 

17. Following the initial incident. Company A advised the FBI of another similar 
cyber incident in which an individual manipulated the internal payment database and altered 
approximately 30 additional $140.00 bonus payments to divert them to the Subject PayPal 

account; these payments were processed on or about May 6,2019, resulting in losses of at least 

i 

approximately $4,200. This similar incident took place after Company A took additional 
security measures response to the initial incident. 
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incident in which an individual manipulated the intenial payment databa|ie and altered 
approximately $15,000 in bonus paymoits, this time to div^ them to a PayPal accormt linked to 
“diagonball844@outlook.com.” The incident occurred on June 20,2019, but was not discovered 
imtil July 12,2019. No IP addresses were available, due to new database configurations at 
Company A. 

Identification of HASHME 

19. The FBI obtained records firom PayPal for the account restored to 

Bruno.Day.1988@outlook.com. In part, PayPal records provided the subscriber information, IP 
logs and transaction history for the account registered to Bruno.Day.198j8@outlook.com. From 
February 26,2019 to June 13,2019, this PayPal account received more jthan 190 payments from 
Company A that totaled approximately $26,663. The subscriber informlation of the PayPal 
account included the following: 


First Name: Bruno 
Last Name: Da 
DOB: 

Address: 





Email: draKonball844@.outlook.com 
Address: 


















23. Additionally, during the records searches, personal email addresses of 



accounts included the following; 


First Name; Shariq 
Last Name; Hashme 
DOB; 

(Entered 

Time Created^^^O^OUjfsISs!?^^ 

Bank Name; B^^ofAmerica 
Bank Account; IHHH2236 


24. Based on the PayPal records for the bruno.day. 1988@outlook.com and 

accounts, IP addresses geo-located in Thailand accessed both accounts 
during a time period relevant to the aforementioned cyber incidents. Tjiis approximate time 
period and location matched the previously-provided suspicious IP nohtd by Conq)any A, also 
geo-located in Thailand, which connected to its internal payment database on April 30,2019. 

The records below reflect a portion of relevant IP address logs; 






05 May 2019 
21;05:33 

182.232.145.215 

05 May 2019 
3;53;19 

182.232.145.215 

04 May 2019 
22;12;08 

182.232.145.215 

04 May 2019 
4;24;39 

182.232.161.90 

04 May 2019 
1;07;22 

182.232.161.90 


182.232.161.90 




'nI_AlS_Mobile 

lutemet 

Bangkok, 

Tha^d 

TH_AIS_Mobile 

1 hitemet 

Ban^k, 

Thailand 

TI 

[_AIS_MobUe 

Internet 

Bangkok, 

Thailand 

TH_AIS_MobUe 

Internet 

Bangkok, 

Thailand 

TH_AIS_Mobae 

Internet 

Ban^k, 

Thailand 

TH AIS MobUe 

Bangkok, 















































03 May 2019 
2:49:51 

182.232.161.90 

02 May 2019 
20:36:14 

182.232.161.90 

02 May 2019 
17:39:59 

182.232.161.90 

01 May 2019 
20:54:35 

182.232.194.57 

01 May 2019 
17:43:09 

182.232.194.57 

01 May 2019 
5:00:09 

182.232.194.57 

01 May 2019 
3:12:37 

182.232.191.33 


bruno.day. 1988@outlook.coin 


bnino.day.1988@outlook.com 


■ 



TH 

_AIS_Mobile 

Litemet 

TH 

, AIS_MobUe 
Ihtemet 

"te 

_AIS_Mobae 

Internet 

TH 

_AIS_Mobae 

Internet 

Th 

_AIS_Mobae 

Internet 

"th 

:_AIS_Mobae 

hitemet 

TH_AIS_MobiIe 

hitemet 


Thailand 


Bangkok, 

ThaUand 


Bangkok, 

Thailand 


Ban^k, 

Thailand 


Bangkok, 

Thailand 


Bangkok, 

Thailand 


Bangkok, 

Thailand 


Bangkok, 

Thailand 


the records provided by Bank of America included the 


2236 




26. The Bank of America records were linke d by account own^ information and 
direct deposits described below. The following transactions were observed in the transaction 
history portion of the Bank of America records for accoimt|^|^^2236, an account linked to 
the PayPal accoimt registered to||^^|||||||||||||||||||||| which mirrors PayPal withdrawals 
from the account registered to Bruno.day.1988@outlook.com: 



June 7,2019 $3,009.50 PayPal *Day Bruno S^Jose,CA 

May 31,2019 $3,009.50 PayPal *Day Bruno Jose, CA 







































































AniiiiimK 



May 24,2019 

$3,009.50 

PayPal *Day Bruno 

Sap Jose, CA 

May 10,2019 

$3,284.00 

PayPal *Day Bruno 

San Jose, CA 

April 29,2019 

$3,146.75 

PayPal *Day Bruno 

San Jose, CA 

April 19,2019 

$3,146.75 

PayPal ♦Day Bruno 

Sap Jose, CA 

April 12,2019 

$3,274.15 

PayPal ♦Day Bruno 

Saik Jose, CA 

March 22,2019 

$951.14 

PayPal ♦Day Bruno 

Sap Jose, CA 

March 15,2019 

$533.79 

PayPal ♦Day Bruno 

Sap Jose, CA 

March 8,2019 

$1,044.88 

PayPal ♦Day Bruno 

San Jose, CA 

March 6,2019 

$23.63 

PayPal ♦Day Bruno 

Sap Jose, CA 

March 6,2019 

$336.15 

PayPal ♦Day Bruno 

Sa^ Jose, CA 


27. The FBI collected additional infonnation on the subject, 

Califomia DMV records. The following identifiers relate to HASHME: 

DL Number: 

Name: Shaiii 
DOB 
Address 
Sex - M; 


Shariq HASHME, from 



-160 


28. According to one of HASHME’s social media profiles, he was most recently 


employed as an engineer at Company A and located in San Francisco, C'alifomia. HASHME is a 


citizen of the United Kingdom and is believed to have left the United States to live overseas on 


April 18,2019, due to an expired work visa. 


29. Con:q>any A advised that at no time during the aforemen|ioned cyber incidents 
was HASHME authorized to access or alter die data or contents of the internal payment database, 
or cause the aforementioned rewards payments to be made to himself. I 

30. Furthermore, Company A informed the FBI that an intoiial investigation revealed 
the destruction of payment database logs. Specifically, shortly after HiLSHME accessed internal 
Company A infirastructure via his Virtual Private Network (VPN), dataliase logs were altered to 
delete the record of some of the firaudulent payments sent to the PayPal account registered to 
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Bruno.Day. 1988@outlook.com, an account controlled by HASHME. 

Discovery of HASHME Arrival 

31. On August 7,2019, the FBI received information that HASHME was expected to 
return to the United States by way of San Francisco International Airport on or about August 9, 
2019. The FBI received additional information on August 9,2019 that HASHME is expected to 
return to the United States by way of SFO the next day, on August 10,2019. 

CONCLUSION 

32. Based on the evidence uncovered and the information provided by Company A as 
well as records received by the FBI, it is believed that HASHME conne|:ted to Company A’s 
internal payment servers to alter and divert bonus payments that were ujtimately deposited to a 
bank account he owned and controlled, resulting in losses of at least approximately $40,000. 
Furthermore, as advised by Company A, HASHME had no authorization, legitimate business 
requirements, or need, to access or alter payment information in Company A’s internal payment 
database. I respectfully submit that there is probable cause to believe that HASHME knowingly 
caused the transmission of a program, information, code, and command, and as a result of such 
conduct, intentionally caused damage without authorization, to a protected computer, and 
thereby caused loss to one or more persons during a one-year period affecting protected 
computers aggregating at least $5,000 in value, all in violation of Title 18, United States Code, 
Sections 1030(a)(5)(A), (c)(4)(B)(i), and (c)(4)(A)(i)(I). 


REQUEST FOR SEALING 

33. Because this investigation is continuing, disclosure of the arrest warrant, this 
affidavit, and/or this application and the attachments thereto will jeopardize the progress of the 


investigation. Disclosure of the arrest warrant at this time would seriously Jeopardize the 
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investi^tion; as such a disclosuie would allow HASHME to change pattpms of behavior, notify 
other confederates, destroy evidence, or flee or continue fligjrt from prosjcutibn. Accordingly, I 
request < ti»t the Court issue ah order that the complaint, arrest warrant, thjs afQdavif in siq)port of 
application for complaint and arrest warrant, and all attachments thereto ije filed under seal until 
further orda of this Court • ! 


Sworn to before me this ' day of August2019 


f 



———— 

ROBBIE J. ROBiRTSTON' I 
Special Agent { 

Federal Bureau of lnvestigati|on 


I5NORABLEELIZABE 



HONORABLE ELIZABETH D. LAPORTE 
United States Ma^strate Judge 
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